IAM: re-add testing permissions (GoogleCloudPlatform#2494)

melaniedejong · engelke · commit dac6c9fc91d9 · 2019-10-23T16:02:15.000-07:00
* Added test_permissions function and tests for this doc: https://cloud.google.com/iam/docs/testing-permissions * Adding access tests Adding back tests that were accidentally removed in a previous commit * Lint * Lint Adding newlines at end of files * Lint * Lint * Fix spacing
diff --git a/iam/api-client/access.py b/iam/api-client/access.py
@@ -1,5 +1,3 @@
-# !/usr/bin/env python
-#
 # Copyright 2018 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -31,7 +29,6 @@
 def get_policy(project_id):
     """Gets IAM policy for a project."""
 
-    # pylint: disable=no-member
     credentials = service_account.Credentials.from_service_account_file(
         filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
         scopes=['https://www.googleapis.com/auth/cloud-platform'])
@@ -84,7 +81,6 @@ def modify_policy_remove_member(policy, role, member):
 def set_policy(project_id, policy):
     """Sets IAM policy for a project."""
 
-    # pylint: disable=no-member
     credentials = service_account.Credentials.from_service_account_file(
         filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
         scopes=['https://www.googleapis.com/auth/cloud-platform'])
@@ -100,6 +96,31 @@ def set_policy(project_id, policy):
 # [END iam_set_policy]
 
 
+# [START iam_test_permissions]
+def test_permissions(project_id):
+    """Tests IAM permissions of the caller"""
+
+    credentials = service_account.Credentials.from_service_account_file(
+        filename=os.environ['GOOGLE_APPLICATION_CREDENTIALS'],
+        scopes=['https://www.googleapis.com/auth/cloud-platform'])
+    service = googleapiclient.discovery.build(
+        'cloudresourcemanager', 'v1', credentials=credentials)
+
+    permissions = {
+        "permissions": [
+            "resourcemanager.projects.get",
+            "resourcemanager.projects.delete"
+        ]
+    }
+
+    request = service.projects().testIamPermissions(
+        resource=project_id, body=permissions)
+    returnedPermissions = request.execute()
+    print(returnedPermissions)
+    return returnedPermissions
+# [END iam_test_permissions]
+
+
 def main():
     parser = argparse.ArgumentParser(
         description=__doc__,
@@ -140,6 +161,11 @@ def main():
     set_parser.add_argument('project_id')
     set_parser.add_argument('policy')
 
+    # Test permissions
+    test_permissions_parser = subparsers.add_parser(
+        'test_permissions', help=get_policy.__doc__)
+    test_permissions_parser.add_argument('project_id')
+
     args = parser.parse_args()
 
     if args.command == 'get':
@@ -152,6 +178,8 @@ def main():
         modify_policy_remove_member(args.policy, args.role, args.member)
     elif args.command == 'add_binding':
         modify_policy_add_role(args.policy, args.role, args.member)
+    elif args.command == 'test_permissions':
+        test_permissions(args.project_id)
 
 
 if __name__ == '__main__':
diff --git a/iam/api-client/access_test.py b/iam/api-client/access_test.py
@@ -50,6 +50,10 @@ def test_access(capsys):
     out, _ = capsys.readouterr()
     assert u'etag' in out
 
+    access.test_permissions(project_id)
+    out, _ = capsys.readouterr()
+    assert u'permissions' in out
+
     # deleting the service account created above
     service_accounts.delete_service_account(
         email)
